Browser & App

Browser and application artifacts are some of the highest-value evidence sources in macOS forensic investigations. Users spend most of their time interacting with browsers, chat apps, productivity tools, and cloud services—and each of these applications logs data, caches files, stores metadata, and keeps historical records. Attackers also frequently misuse browsers and apps for data exfiltration, credential theft, persistence, and command execution.

This chapter explains how to investigate browser activity and application artifacts on macOS, where the most important evidence is stored, and how to extract intelligence from these sources.


Browser Forensics on macOS

macOS systems commonly use:

  • Safari (default)

  • Google Chrome

  • Mozilla Firefox

  • Brave, Opera, Edge (Chromium-based)

Each browser stores browsing history, downloads, cookies, caches, session data, autofill information, saved passwords, and more.


Safari Forensics

Safari stores its artifacts inside:

~/Library/Safari/
~/Library/Containers/com.apple.Safari/
~/Library/WebKit/

Key Artifacts:

1. History.db

SQLite database containing:

  • Visited URLs

  • Page titles

  • Timestamps

  • Visit counts

  • Last visited time

2. Downloads.plist

Tracks file downloads:

  • File names

  • Original URLs

  • Download timestamp

  • Final saved location

3. LastSession.plist

Shows tabs and windows open before the last quit or crash.

4. Favicons / Thumbnails

Stores images of visited pages—useful for visual reconstruction.

5. Cookies.binarycookies

Binary file storing:

  • Auth tokens

  • Session cookies

  • Tracking data


Google Chrome Forensics

Chrome’s artifacts are stored in:

~/Library/Application Support/Google/Chrome/Default/

Key Databases:

1. History

SQLite database containing:

  • URLs

  • Visit times

  • Typed URLs

  • Download history

  • Redirect chains

2. Cookies

Cookie values are stored encrypted in a SQLite database:

  • Decryption requires access to the macOS Keychain, which holds the encryption key

  • Can be decrypted when the user is logged in or the Keychain key is available

3. Login Data

Stores saved passwords (encrypted by Keychain).

4. Top Sites

Lists most visited websites.

5. Cache & Code Cache

Useful for retrieving:

  • Cached images

  • JavaScript code

  • HTML fragments

  • Deleted browsing remnants


Mozilla Firefox Forensics

Firefox artifacts are located at:

~/Library/Application Support/Firefox/Profiles/<profile>/

Key Artifacts:

  • places.sqlite → History + Bookmarks

  • cookies.sqlite

  • downloads.sqlite

  • formhistory.sqlite

  • sessionstore-backups/ → Open tabs & sessions

  • cache2/ → Cached content

Firefox stores very rich metadata, making it highly valuable.


Identifying Browser-Based Malware Activity

Browsers can reveal:

  • Malicious file downloads

  • Visits to phishing websites

  • Suspicious Google searches

  • Credential harvesting attempts

  • Command execution via browser-based shells

  • Web-based exfiltration methods

Investigators should correlate:

  • Download history

  • File system events

  • KnowledgeC app usage

  • FSEvents logs

  • Network logs
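Correlating the three browsers' history stores means putting them on one clock first, because Safari, Chrome and Firefox each count time from a different epoch in different units. The following is an added example (not code from the chapter) that converts each browser's native timestamp to UTC and merges the visits into a single timeline; the table and column names are the real ones from History.db, Chrome's History and places.sqlite, while the in-memory sample rows are constructed.

```python
"""Merge Safari, Chrome and Firefox history into one UTC-normalised timeline.
Added example, not part of the chapter; the sample rows below are constructed."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Each browser stores visit times against a different epoch and unit:
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Safari: seconds (REAL)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome: microseconds
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)    # Firefox: microseconds (PRTime)

def safari_time(v):  return COCOA_EPOCH + timedelta(seconds=float(v))
def chrome_time(v):  return WEBKIT_EPOCH + timedelta(microseconds=int(v))
def firefox_time(v): return UNIX_EPOCH + timedelta(microseconds=int(v))
# Real table/column names: (SQL yielding url, title, raw_time) plus the converter.
QUERIES = {
    "safari":  ("SELECT i.url, v.title, v.visit_time FROM history_visits v "
                "JOIN history_items i ON v.history_item = i.id", safari_time),
    "chrome":  ("SELECT u.url, u.title, v.visit_time FROM visits v "
                "JOIN urls u ON v.url = u.id", chrome_time),
    "firefox": ("SELECT p.url, p.title, v.visit_date FROM moz_historyvisits v "
                "JOIN moz_places p ON v.place_id = p.id", firefox_time),
}

def timeline(dbs):
    """dbs: {browser: sqlite3.Connection} -> (iso_utc, browser, url, title) sorted by time."""
    rows = []
    for browser, conn in dbs.items():
        sql, convert = QUERIES[browser]
        for url, title, raw in conn.execute(sql):
            rows.append((convert(raw).isoformat(timespec="seconds"), browser, url, title or ""))
    return sorted(rows)  # one clock for all three browsers

def sample_dbs():
    """Constructed in-memory stand-ins for History.db, History and places.sqlite (not evidence)."""
    s = sqlite3.connect(":memory:")
    s.executescript("""CREATE TABLE history_items(id INTEGER, url TEXT);
        CREATE TABLE history_visits(history_item INTEGER, title TEXT, visit_time REAL);
        INSERT INTO history_items VALUES(1, 'https://example.com/login');
        INSERT INTO history_visits VALUES(1, 'Sign in', 694269000.0);""")       # 2023-01-01 12:30 UTC
    c = sqlite3.connect(":memory:")
    c.executescript("""CREATE TABLE urls(id INTEGER, url TEXT, title TEXT);
        CREATE TABLE visits(url INTEGER, visit_time INTEGER);
        INSERT INTO urls VALUES(1, 'https://example.com/tool.dmg', 'tool.dmg');
        INSERT INTO visits VALUES(1, 13317049860000000);""")                     # 12:31 UTC
    f = sqlite3.connect(":memory:")
    f.executescript("""CREATE TABLE moz_places(id INTEGER, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits(place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES(1, 'https://example.org/', 'Example');
        INSERT INTO moz_historyvisits VALUES(1, 1672576320000000);""")           # 12:32 UTC
    return {"safari": s, "chrome": c, "firefox": f}
```

Against real evidence, open forensic copies of the databases with sqlite3.connect() and copy the -wal and -shm sidecar files alongside them, or the most recent visits still sitting in the write-ahead log will be missed.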


Application Forensics on macOS

Applications store logs, caches, databases, and preference files inside user directories.

The most important forensic locations include:

~/Library/Application Support/
~/Library/Containers/
~/Library/Preferences/
~/Library/Caches/
~/Library/Logs/

Messaging & Communication Apps

These applications often contain high-value evidence such as messages, attachments, call logs, and metadata.


iMessage / Messages App

Location:

~/Library/Messages/chat.db
~/Library/Messages/Attachments/

Contents:

  • iMessage & SMS messages

  • Sender/receiver info

  • Attachments

  • Timestamps

  • Deleted messages (sometimes recoverable)


FaceTime

Location:

~/Library/Preferences/com.apple.FaceTime.plist

Artifacts:

  • Call logs

  • Contact info

  • VoIP metadata


WhatsApp Desktop

Location:

~/Library/Containers/desktop.WhatsApp/

Stores:

  • Chat logs (encrypted)

  • Cached media

  • Sync metadata


Telegram Desktop

Location:

~/Library/Application Support/Telegram Desktop/

Stores:

  • Message history

  • Caches

  • Thumbnails

  • Recently accessed media


Zoom, Slack, Discord, Teams

Each keeps logs and usage history:

  • Timestamps

  • Login times

  • Chat logs

  • Meeting metadata

  • File transfers

  • Cached JSON logs

These apps are especially important in insider threat investigations.


Productivity App Artifacts

Applications like Office, Adobe, and Apple’s built-in apps store large amounts of metadata.


Microsoft Office

Location:

~/Library/Containers/com.microsoft.*

Artifacts include:

  • Recent documents

  • Auto-recovery files

  • Metadata logs

  • Cloud sync traces (OneDrive)


Apple Notes

Location:

~/Library/Group Containers/group.com.apple.notes/

Contains:

  • Notes database

  • Deleted notes

  • Attachments (images, scans)


Preview app

Stores:

  • Recently opened PDFs

  • Annotations

  • Thumbnails

  • Signatures


Security & System Apps

Some system-level apps store key security data.


Keychain

Location:

~/Library/Keychains/

Contains:

  • Saved passwords

  • Wi-Fi credentials

  • App tokens

  • Browser login data

Requires the user's login password or an unlocked session to decrypt.


Gatekeeper Logs

Track executed apps:

/var/log/install.log
/System/Library/CoreServices/

Shows:

  • First-time app launches

  • Signature verification

  • Execution warnings


Cloud Application Evidence

Cloud sync apps leave strong forensic artifacts:

Dropbox

~/Library/Application Support/Dropbox/

Google Drive / Drive File Stream

~/Library/Application Support/Google/DriveFS/

OneDrive

~/Library/Containers/com.microsoft.OneDrive-mac/

These apps reveal:

  • Synced files

  • Deleted items

  • Upload/download records

  • Account info

  • Device linkage


Intel Dump

High-Value Intel Extracted from Browser & App Forensics

  • Safari, Chrome, and Firefox store rich browsing history, download records, cookies, and session artifacts.

  • Safari’s History.db and Chrome’s History files are essential for tracing user web activity.

  • Browser cache directories often contain fragments of deleted pages, images, and scripts.

  • Cookies and login data (even when encrypted) can reveal account usage and logins.

  • Communication apps (iMessage, Slack, Discord, Zoom, WhatsApp) store chat logs, attachments, and connection metadata.

  • Productivity apps like Office and Notes store recent file access info, auto-recover files, and hidden metadata.

  • Keychain stores encrypted credentials and authentication tokens—critical for security investigations.

  • Cloud apps (Dropbox, Drive, OneDrive) record sync metadata, remote deletions, and shared documents.

  • Combining browser activity with KnowledgeC and FSEvents creates a precise timeline of user behavior and file interaction.
